Wearable Health Tech: A Privacy Paradox for Professionals and Users
As wearable health devices like **Oura Rings**, **Garmin** watches, and **Apple Watches** become ubiquitous, their privacy and security postures are increasingly under scrutiny. Despite collecting highly sensitive personal health data, many of these devices lack crucial protections such as transparency reports and end-to-end encryption, raising significant concerns for IT security professionals and privacy-conscious users alike.
Every year, more and more tech devices promise to monitor our health and fitness, guiding us toward healthier living and providing useful health metrics. However, few of these tools provide the privacy and security assurances we demand from all technology, especially those capturing personal health data.
Surveys suggest that around 40 percent of people in the United States own some form of commercially available wearable health device. Despite being marketed as health devices, they often lack special health-related privacy protections. Companies often collect an abundance of data, sharing it with third parties for marketing, influencing insurance rates, or training artificial intelligence models.
Health data is increasingly relevant in law enforcement and government investigations. Wearable data has been critical in a number of cases, with information about heart rate and steps used to determine individuals' whereabouts. Surveillance company **Penlink** even identifies fitness trackers as an βoverlooked sourceβ for law enforcement, noting their ability to reveal movement patterns and heart rate changes. Law enforcement can attempt to access this data through subpoenas or warrants.
Our focus here is on two critical facets of health data privacy: whether companies share information with law enforcement and governments, and if they offer end-to-end encryption, which prevents the company itself from accessing health data.
We reviewed public-facing policies and contacted ten major consumer health product companies:
* **Amazfit**
* **Apple**
* **Coros**
* **Garmin**
* **Google** (including **Fitbit**)
* **Hume**
* **Oura**
* **Polar**
* **Suunto**
* **Whoop**
Hereβs what we found.
## Transparency Reports Are Few and Far Between
Companies should provide transparency reports detailing how often they provide data to the government, distinguishing between official demands and unofficial requests. While we have long advocated for tech companies to publish transparency reports, the practice remains rare, particularly among fitness gadget manufacturers.
Only two of the companies surveyed, **Apple** and **Google** (which owns **Fitbit**), currently publish transparency reports. **Apple**, **Google**, and **Whoop** publicly state policies to notify users of law enforcement requests.
**Oura** also updated its privacy policy in June 2026, promising to notify users and actively evaluate ways to provide greater visibility, such as through a transparency report. This is a promising development, and we hope **Oura** commits to full transparency reports.
Similarly, **Suunto**, while not currently publishing transparency reports, expressed openness to doing so, stating, βWe continuously evaluate our transparency practices and may publish additional information, such as a transparency report, in the future.β Such reports are invaluable for understanding potential law enforcement access to our data.
We found no public statements or email responses regarding notification or transparency reports from the other companies.
Any company handling data of interest to law enforcement and governments owes it to its users to publish transparency reports and, when legally possible, notify users when that data is requested. This is especially critical for personal health data, which can reveal sensitive movements and activities.
## End-to-End Encrypted Data Is Far Too Rare of a Feature
End-to-end encryption ensures that personal data is accessible only by the user, not the device manufacturer or cloud storage provider. While commonly associated with messaging apps like **Signal** or **WhatsApp**, it's also used by password managers and has been implemented by **Ring** for its cameras. There is no technical reason it cannot be offered for wearables.
For wearable health devices, end-to-end encryption would enable secure cloud storage, allowing data to be synced and backed up between a device and a phone app in a way that only the user's devices can access it.
Support for end-to-end encryption is even rarer than transparency reports.
The **Apple Watch**, specifically for data stored in the **Apple Health** app, is the only popular fitness wearable that supports end-to-end encryption. This feature is enabled by default for all users, provided two-factor authentication is also active (which is default for most accounts).
However, **Apple Watch** owners should note that this protection applies only to data within the **Apple Health** app. If data is used by other apps, shared with third parties like **Strava**, or synced with other wearables like an **Oura Ring**, that data is likely *not* end-to-end encrypted by the third-party company.
**Apple** stands alone in offering end-to-end encryption. No other popular consumer health wearable provides this for the data it collects and stores online β not **Google**, not **Garmin**, not **Oura**. Most companies offer encryption in transit and at rest, but this still allows them to access and use your data. While this is the industry standard, it doesn't have to be.
Another viable option would be more robust local-storage capabilities. Some devices, like certain **Garmin** and **Polar** watches, can operate without syncing data to the cloud. However, some models have limited functionality without online synchronization. More comprehensive options for restricting data to just the wearable and its paired phone app are needed.